The Federal Communications Commission (FCC) has revealed new rules to shield consumers from criminals who hijack their phone numbers in SIM swapping attacks and port-out fraud. 

FCC's Privacy and Data Protection Task Force introduced the new regulations in July. They are geared toward thwarting scammers who seek to access personal data and information by swapping SIM cards or transferring phone numbers to different carriers without obtaining physical control of their targets' devices.

In SIM swapping attacks, criminals trick a victim's wireless carrier into redirecting their service to a device controlled by the fraudster. Conversely, in port-out fraud or mobile number porting fraud, scammers transfer the victim's phone number from one service provider to another without the owner's authorization.

They both cause significant financial losses, identity theft, and distress for the victim, as they lead to unauthorized access to personal accounts and sensitive information.

"These scams – SIM swap and port-out fraud – don't just put wireless account access and details at risk," said Commissioner Geoffrey Starks.

"Because we so frequently use our phone numbers for two-factor authentication, a bad actor who takes control of a phone can also take control of financial accounts, social media accounts, the list goes on." 

Secure auth before porting numbers and instant alerts

The FCC's updated rules concerning Customer Proprietary Network Information (CPNI) and Local Number Portability now mandate that wireless service providers implement secure authentication procedures before transferring a customer's phone number to a different device or provider.

Under the new regulations, wireless companies must also promptly alert customers whenever a SIM change or port-out request occurs on their accounts. Furthermore, they must take extra precautions to shield customers from SIM swapping and port-out attempts.

"We require wireless carriers to give subscribers more control over their accounts and provide notice to consumers whenever there is a SIM transfer request, in order to protect against fraudulent requests made by bad actors," said Chairwoman Jessica Rosenworcel.

"We also revise our customer proprietary network information and local number portability rules to make it harder for scam artists to make requests that get them access to your sensitive subscriber information."

FCC's move comes in response to an ever-increasing wave of consumer complaints about significant distress and financial harm resulting from SIM hijacking attacks and port-out fraud. 

In February 2022, the FBI was already warning that criminals were escalating SIM swap attacks to steal millions by hijacking unsuspecting victims' phone numbers.

The FBI Internet Crime Complaint Center (IC3) received 2,026 SIM-swapping complaints with adjusted losses of $72,652,571 last year. In contrast, 320 complaints reporting SIM swapping incidents with losses of $12 million were filed between January 2018 and December 2020, while IC3 received 1,611 such complaints with adjusted losses of over $68 million in 2021 alone.

FBI's alert came on the heels of an FCC announcement that it started working on new legislation in response to surging SIM-swapping attacks.